Mobile App Fraud Prevention & Security Elements
At the start of the 21st century, trend forecasters predicted that our homes would be full of desktop computers by now. Given how quickly we were all warming up to personal computing and internet technology, it was a reasonable expectation—but it failed to anticipate the rise of mobile devices. There’s no need to cover every available desktop surface with a computer when you’re walking around with a smartphone that can do whatever you need, but when it comes to cybersecurity most of us are still stuck in a PC computing mindset. As more and more shopping and payment processing is happening through phones and tablets, what can we do to promote a safe and fraud-free mobile payments environment?
The golden rule of fraud is that it follows the money. As consumers have warmed to mobile ecommerce, payment apps, e-wallets, and other technological conveniences, fraudsters have been right behind them, testing new systems for weaknesses and finding vulnerabilities in the hardware, software, and human behaviors that enable them.
To maintain growth and confidence in mobile ecommerce, industry leaders, including merchants, must pay close attention to the development of new fraud schemes and use the tools and defenses that can protect consumer data. Remember that nearly every fraudulent transaction eventually turns into a chargeback, and there is no reliable defense against true fraud chargebacks: the cardholder really did not authorize the purchase, so the merchant has nothing to dispute. For these types of disputes, prevention is the only cure that really works.
What is App Fraud?
One key difference between desktop PC security and mobile security is that in the former, you’re typically interfacing with your customers via a web page, but on a mobile device your customers are most likely connecting with you through a proprietary app. Securing a web page carried over an open, standardized protocol is a very different endeavor from building and securing a self-contained app from scratch. The app ships your client-side code to devices you do not control, where it can be decompiled, instrumented, or bypassed entirely in favor of calling your API directly, so every check that matters has to be enforced on the server, and the app itself has to be treated as an untrusted client.
Even if your app doesn’t store payment credentials or other financial data, breaking into it can be highly rewarding for fraudsters who might be looking for personal information to use in phishing or identity theft schemes. Account takeover attacks can be extremely lucrative because of all the various ways they can be leveraged, so don’t fool yourself into thinking that your app is too inconsequential to be targeted.
How can my Mobile App be more secure?
First of all, don’t go searching for that one weird trick that’s going to secure your mobile app against intrusions. Hackers rarely restrict themselves to a single angle of attack, so if you want to keep your data safe you’re going to need to deploy a multi-layered approach to security. Having more than one form of protection in place means that even if one or more of them fail, the others can still stop cybercriminals from delving any further.
A comprehensive approach to mobile security might involve two-factor authentication so that a stolen, guessed, or reused password is not enough on its own, tokenization to keep sensitive data out of the systems that don’t need it, and “smart” fraud detection logic to terminate fraudsters’ connections as soon as they start engaging in suspicious activity.
We can take a closer look at each of these elements.
For both account access and payment processing, you want to protect your users by requiring them to verify their identity through more than one method. Multi-factor authentication is extremely effective at stopping account takeover, because most of it is driven by passwords that were stolen in a breach, reused across sites, or guessed. Many users are somewhat careless when it comes to creating strong passwords, and even the strongest passwords can be compromised when people share them, write them down, or type them into a phishing page.
Now, when a successful password entry prompts you to enter a code sent via email or SMS, that’s the end of the line for the attacker who only has a list of leaked credentials to work with. Be aware of the limits, though: SMS codes can be intercepted by a SIM swap, and any code the user types can be relayed by a real-time phishing page, so an authenticator app, a push approval inside your own app, or a passkey is a stronger second factor where you can offer one. Whatever the channel, the code should be short-lived, usable only once, and protected by an attempt limit, or a fraudster can simply keep guessing until it matches.
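As an added example, not code from the original page, here is a minimal server-side second-factor check in Python that enforces those three properties: the code comes from a CSPRNG, expires after five minutes, can be consumed once, and the challenge is discarded after five wrong guesses. The names `SecondFactor` and `OtpChallenge`, the limits, and the injectable clock are assumptions made for illustration; delivering the code by SMS or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # a code is valid for five minutes after issue (assumed policy)
MAX_ATTEMPTS = 5         # a challenge is discarded after this many wrong guesses (assumed policy)


@dataclass
class OtpChallenge:
    # SHA-256 of the code. Hashing keeps the plaintext out of the store and out of logs,
    # but with only a million possible codes it is no defense against offline guessing;
    # the short TTL and the attempt limit are the real protection.
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class SecondFactor:
    """Issues and verifies one-time codes delivered out of band (SMS or email).

    Only verifier state lives here. Sending the code is the caller's job, and the
    caller should call `issue` only after the password check has already passed.
    """

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._challenges: dict[str, OtpChallenge] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        # Six digits from a CSPRNG, zero-padded so "004217" keeps its leading zeros.
        # Issuing a new code replaces any outstanding challenge for this user.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._challenges[user_id] = OtpChallenge(
            code_hash=self._digest(code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code   # hand this to the SMS/email sender; never log it

    def verify(self, user_id: str, submitted: str) -> bool:
        challenge = self._challenges.get(user_id)
        if challenge is None or challenge.used:
            return False                     # nothing outstanding, or already consumed
        if self._now() > challenge.expires_at:
            del self._challenges[user_id]    # expired: the user must request a new code
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._challenges[user_id]    # too many guesses: stop the brute force
            return False
        # Constant-time comparison so response timing does not leak matching prefixes.
        ok = hmac.compare_digest(self._digest(submitted), challenge.code_hash)
        if ok:
            challenge.used = True            # single use: a replayed code is rejected
        return ok
```

The session should be upgraded only after `verify` returns `True`; a correct code that arrives after the TTL, after the attempt limit, or a second time is rejected just like a wrong one.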
In a payment processing context, requiring AVS (billing address) and CVV matching will likewise screen out the fraudsters who only have card numbers and expiration dates to work with, which is what most bulk card dumps contain. Two caveats: the CVV may be used to authorize a transaction but must never be stored afterward, even for cards you keep on file; and AVS is only supported for cards issued in a handful of countries, so an AVS result of “unavailable” is not a mismatch, and a mismatch is best treated as a strong input to a fraud score rather than an automatic decline on its own.
Encrypted data is safer than data stored in plain text, but encrypted data is only as safe as its key: if the key is reachable from a compromised system, the attacker can decrypt whatever that system could. Safer yet is tokenization: storing the raw data in a separate, tightly controlled vault, and handing the application a random placeholder token that references it but has no mathematical relationship to it, so nothing the application holds can be turned back into the original.
Digital wallets make good use of this technology. When you pay with Apple Pay or Google Pay, the merchant receives a device-specific token (a number that looks like a card number but is bound to that device and wallet) together with a one-time cryptogram for the transaction, not your actual account number. Only the token service provider that issued the token, typically the card network, can map it back to your card. If fraudsters break into your app and steal tokenized data, they can’t do much with it: the token is useless without a fresh cryptogram from the device, and recovering the underlying card numbers would mean compromising the token service itself, which is a far harder target than a merchant app.
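To make the separation concrete, here is an added example in Python (not code from the page or from any wallet provider) of the pattern on the merchant side: a stand-in token vault that holds the only mapping from token to card number, and a merchant record that keeps just the token, the last four digits, and the expiry. The `TokenVault`, `StoredCard`, and `processor_charge` names, the caller check, and the well-known test card number 4111 1111 1111 1111 are assumptions for illustration; the per-transaction cryptogram that a real wallet adds is not modeled.

```python
import secrets
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, so the vault rejects mistyped or made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the separately hosted token service (e.g. a payment provider's vault).

    The token -> PAN mapping exists only here. The merchant app holds no key that could
    recover a card number from a token, so a dump of the merchant database yields nothing.
    """

    def __init__(self):
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]   # same card -> same token, so velocity rules still work
        token = "tok_" + secrets.token_hex(16)  # random: nothing about the PAN can be inferred from it
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the component that talks to the card network may recover the PAN.
        if caller != "payment-processor":
            raise PermissionError(f"{caller} is not allowed to detokenize")
        return self._pan_by_token[token]


@dataclass(frozen=True)
class StoredCard:
    """What the merchant's own database keeps: enough to display and to charge later.

    No PAN, and no CVV either: the CVV may be sent for authorization but never stored.
    """
    token: str
    last4: str
    expiry: str


def merchant_store_card(vault: TokenVault, pan: str, expiry: str) -> StoredCard:
    """Merchant side: exchange the PAN for a token immediately and keep only the token."""
    token = vault.tokenize(pan)
    return StoredCard(token=token, last4=pan.replace(" ", "")[-4:], expiry=expiry)


def processor_charge(vault: TokenVault, token: str, amount_cents: int) -> str:
    """Processor side: the merchant sends the token; only this component detokenizes."""
    pan = vault.detokenize(token, caller="payment-processor")
    return f"charged {amount_cents} cents to card ending {pan[-4:]}"
```

The important property is visible in `StoredCard`: everything the merchant persists can be leaked without exposing a usable card number, and a stolen token is only accepted by the one processor that can detokenize it.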
The methods of fraud are constantly evolving, which means that even seemingly innocuous user behavior can sometimes be part of a scheme to exploit a flaw in your app’s logic or a newly-discovered software bug, so you need a layer that judges behavior, not just credentials.
Rules-based fraud detection logic, increasingly supplemented by machine learning models that learn patterns nobody has written a rule for yet, may be the answer to stopping emergent fraud methods before they can do real harm. Advanced fraud detection tools can compare geolocation against the billing address and the account’s history, perform velocity checks (how many attempts, cards, or accounts a single source produces in a short window), analyze user behavior, and identify patterns consistent with fraud. With the right analytics, these tools can score and block fraudsters in real time, and the AVS and CVV results mentioned earlier are among the most useful inputs to that score.
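As an added example, not from the original page or any vendor’s product, here is a small rules engine in Python that scores each payment attempt in arrival order using the signals just described: the CVV and AVS results, a mismatch between the IP country and the billing country, per-card velocity, and the number of distinct cards one account tries in a short window, which is the classic card-testing pattern. The weights, thresholds, window, the `Attempt` fields, and the eleven sample attempts in `SAMPLE_ATTEMPTS` are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 600         # look-back window for the velocity rules (assumed)
MAX_ATTEMPTS_PER_CARD = 3    # more attempts than this on one card in the window is suspicious (assumed)
MAX_CARDS_PER_ACCOUNT = 3    # more distinct cards than this from one account looks like card testing (assumed)
REVIEW_AT, BLOCK_AT = 25, 50  # score thresholds (assumed)


@dataclass(frozen=True)
class Attempt:
    ts: int               # epoch seconds
    account: str
    card_token: str       # tokenized card, never the PAN
    amount: float
    ip_country: str
    billing_country: str
    avs: str              # "Y" address and ZIP matched, "N" no match, "U" not checked
    cvv: str              # "M" matched, "N" no match


class FraudRules:
    """Stateful scorer: call `evaluate` on each attempt in time order."""

    def __init__(self):
        self._card_attempts = defaultdict(deque)   # card_token -> timestamps in window
        self._account_cards = defaultdict(deque)   # account -> (ts, card_token) in window

    def evaluate(self, a: Attempt) -> tuple[str, int, list[str]]:
        score, reasons = 0, []

        # Static signals from the authorization response and the request itself.
        if a.cvv == "N":
            score += 60
            reasons.append("cvv_mismatch")
        if a.avs == "N":                # "U" (unavailable) is deliberately not penalized
            score += 30
            reasons.append("avs_mismatch")
        if a.ip_country != a.billing_country:
            score += 25
            reasons.append("geo_mismatch")

        # Velocity on the card: how many attempts in the window, including this one.
        cq = self._card_attempts[a.card_token]
        while cq and a.ts - cq[0] > WINDOW_SECONDS:
            cq.popleft()
        cq.append(a.ts)
        if len(cq) > MAX_ATTEMPTS_PER_CARD:
            score += 50
            reasons.append("card_velocity")

        # Card testing: one account cycling through many different cards.
        aq = self._account_cards[a.account]
        while aq and a.ts - aq[0][0] > WINDOW_SECONDS:
            aq.popleft()
        aq.append((a.ts, a.card_token))
        if len({tok for _, tok in aq}) > MAX_CARDS_PER_ACCOUNT:
            score += 50
            reasons.append("card_testing")

        decision = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "allow"
        return decision, score, reasons


# Constructed sample traffic: a clean purchase, a CVV failure, a foreign IP,
# four rapid retries on one card, and one account cycling through four cards.
SAMPLE_ATTEMPTS = [
    Attempt(0, "acct-1", "tok-a", 49.99, "US", "US", "Y", "M"),
    Attempt(10, "acct-2", "tok-b", 120.00, "US", "US", "Y", "N"),
    Attempt(20, "acct-3", "tok-c", 20.00, "DE", "US", "Y", "M"),
    *[Attempt(100 + 30 * i, "acct-4", "tok-d", 9.99, "US", "US", "Y", "M") for i in range(4)],
    *[Attempt(300 + 10 * i, "acct-5", f"tok-e{i}", 1.00, "US", "US", "Y", "M") for i in range(4)],
]


def run_sample() -> list[tuple[str, int, list[str]]]:
    """Score the constructed attempts in order and return (decision, score, reasons) for each."""
    rules = FraudRules()
    return [rules.evaluate(a) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, (decision, score, reasons) in zip(SAMPLE_ATTEMPTS, run_sample()):
        print(f"t={attempt.ts:>3} {attempt.account} {attempt.card_token:<7} -> {decision:<6} {score:>3} {reasons}")
```

Because the scorer keeps state, it is the order of events that exposes the patterns: the first three attempts on `tok-d` and the first three cards from `acct-5` look fine in isolation, and only the fourth in each run crosses a threshold. In production the windows would live in a shared store such as Redis rather than in process memory, and the weights would be tuned against labelled chargeback data.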
App development can be a slow and bumpy process, so while it may not be feasible to add all of these features into your next update, they represent the current state of best practices for mobile security and should be incorporated, where applicable, as a priority.
Never forget that fraud protection and chargeback prevention go hand in hand—you can’t really have one without the other. By providing top of the line mobile security and protecting your customers from fraud, you’ll reduce your true fraud chargebacks and be able to focus more on preventing and fighting illegitimate chargebacks, like friendly fraud.
We’re still in the middle of the great migration away from the desktop, but it could be just a few short years before a new generation of digital natives brings an end to computing’s long association with desks and chairs. In the meantime, we can start shifting more of our thinking around cybersecurity toward mobile platforms and begin adapting to the tools and habits that will keep our data safe in the days ahead.